The certificates that kubeadm generates when installing Kubernetes are valid for only one year, so the cluster certificates have to be renewed before they expire. Before touching anything, back up the certificate directory so that a mistaken operation can be rolled back.
1. Check the certificate expiration dates
First, run the kubeadm certs check-expiration command to see when each certificate in the cluster expires.
~ # kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jul 16, 2023 09:55 UTC 90d ca no
apiserver Jul 16, 2023 09:54 UTC 90d ca no
apiserver-etcd-client Jul 16, 2023 09:54 UTC 90d etcd-ca no
apiserver-kubelet-client Jul 16, 2023 09:54 UTC 90d ca no
controller-manager.conf Jul 16, 2023 09:55 UTC 90d ca no
etcd-healthcheck-client Jul 16, 2023 09:53 UTC 90d etcd-ca no
etcd-peer Jul 16, 2023 09:53 UTC 90d etcd-ca no
etcd-server Jul 16, 2023 09:53 UTC 90d etcd-ca no
front-proxy-client Jul 16, 2023 09:54 UTC 90d front-proxy-ca no
scheduler.conf Jul 16, 2023 09:55 UTC 90d ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Dec 28, 2030 09:14 UTC 7y no
etcd-ca Dec 28, 2030 09:14 UTC 7y no
front-proxy-ca Dec 28, 2030 09:14 UTC 7y no
Some older versions use the alpha form of the command instead:
kubeadm alpha certs check-expiration
2. Back up the old certificates and configuration files
Before renewing, back up the old certificates and keys so that an error during renewal can be undone. Certificates generated by kubeadm normally live under /etc/kubernetes/pki.
# Create the backup directory
/home # mkdir /etc/kubernetes.bak
# Back up the old certificates
/home # cp -r /etc/kubernetes/pki/ /etc/kubernetes.bak
# Back up the kubeconfig files
/home # cp /etc/kubernetes/*.conf /etc/kubernetes.bak
# Back up the etcd data
/home # cp -r /var/lib/etcd /var/lib/etcd.bak
3. Run the certificate renewal command
/home # kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
Check the certificate expiration dates again:
/home # kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Apr 16, 2024 08:14 UTC 364d ca no
apiserver Apr 16, 2024 08:14 UTC 364d ca no
apiserver-etcd-client Apr 16, 2024 08:14 UTC 364d etcd-ca no
apiserver-kubelet-client Apr 16, 2024 08:14 UTC 364d ca no
controller-manager.conf Apr 16, 2024 08:14 UTC 364d ca no
etcd-healthcheck-client Apr 16, 2024 08:14 UTC 364d etcd-ca no
etcd-peer Apr 16, 2024 08:14 UTC 364d etcd-ca no
etcd-server Apr 16, 2024 08:14 UTC 364d etcd-ca no
front-proxy-client Apr 16, 2024 08:14 UTC 364d front-proxy-ca no
scheduler.conf Apr 16, 2024 08:14 UTC 364d ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Dec 28, 2030 09:14 UTC 7y no
etcd-ca Dec 28, 2030 09:14 UTC 7y no
front-proxy-ca Dec 28, 2030 09:14 UTC 7y no
The certificate expiration dates have been updated. As the renew output states, kube-apiserver, kube-controller-manager, kube-scheduler and etcd must be restarted before they pick up the new certificates, and any copy of admin.conf (for example ~/.kube/config) made before the renewal still embeds the old client certificate.
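The check in step 1 and the re-check after renewal are something a practitioner usually wants to run regularly rather than by eye. The following script is an added example, not code from the original post: it parses the output format of kubeadm certs check-expiration shown above and lists every certificate whose RESIDUAL TIME is at or below a threshold in days, so that renewal can be scheduled before expiry. The SAMPLE_OUTPUT below is constructed to mirror the page's table layout; on a real control-plane node the function reads stdin, so it can be fed the live command instead.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): flag kubeadm-managed
# certificates that are close to expiring.

# Constructed sample in the same layout as "kubeadm certs check-expiration".
SAMPLE_OUTPUT=$(cat <<'EOF'
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 16, 2023 09:55 UTC   90d             ca                      no
apiserver                  Jul 16, 2023 09:54 UTC   90d             ca                      no
apiserver-etcd-client      Jul 16, 2023 09:54 UTC   90d             etcd-ca                 no
apiserver-kubelet-client   Jul 16, 2023 09:54 UTC   90d             ca                      no
controller-manager.conf    Jul 16, 2023 09:55 UTC   90d             ca                      no
etcd-healthcheck-client    Jul 16, 2023 09:53 UTC   90d             etcd-ca                 no
etcd-peer                  Jul 16, 2023 09:53 UTC   90d             etcd-ca                 no
etcd-server                Jul 16, 2023 09:53 UTC   90d             etcd-ca                 no
front-proxy-client         Jul 16, 2023 09:54 UTC   90d             front-proxy-ca          no
scheduler.conf             Jul 16, 2023 09:55 UTC   90d             ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 28, 2030 09:14 UTC   7y              no
etcd-ca                 Dec 28, 2030 09:14 UTC   7y              no
front-proxy-ca          Dec 28, 2030 09:14 UTC   7y              no
EOF
)

# expiring_within DAYS
# Reads check-expiration output on stdin and prints "<name> <residual>"
# for every certificate (leaf or CA) with at most DAYS of lifetime left.
# In both tables the EXPIRES column is five tokens ending in "UTC", so the
# residual time is always field 7 on a data row; header lines never match.
expiring_within() {
  awk -v limit="$1" '
    $6 == "UTC" {
      r = $7
      if (r == "<invalid>") {
        days = 0                                   # already expired
      } else if (r ~ /^[0-9]+y$/) {
        days = substr(r, 1, length(r) - 1) * 365   # years -> days (approx.)
      } else if (r ~ /^[0-9]+d$/) {
        days = substr(r, 1, length(r) - 1) + 0
      } else {
        days = 0                                   # hours/minutes left: due now
      }
      if (days <= limit) print $1, r
    }'
}

# Usage: anything with 90 days or less left. On a control-plane node replace
# the sample with:  kubeadm certs check-expiration | expiring_within 90
printf '%s\n' "$SAMPLE_OUTPUT" | expiring_within 90
```

With the sample above, a threshold of 90 lists the ten leaf certificates and kubeconfig files but not the three CAs; a threshold of 30 lists nothing. Running this from cron with a small threshold and alerting on non-empty output is a simple way to avoid the outage that an expired apiserver or etcd certificate causes.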